1 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
new file mode 100644
index 0000000000..59640859dd
--- /dev/null
+++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
@@ -0,0 +1,62 @@
+From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 3 Jun 2020 22:41:02 +0300
+Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
+ path
+More than about 700 character URL ended up overflowing the wpabuf used
+for building the event notification and this resulted in the wpabuf
+buffer overflow checks terminating the hostapd process. Fix this by
+allocating the buffer to be large enough to contain the full URL path.
+However, since that around 700 character limit has been the practical
+limit for more than ten years, start explicitly enforcing that as the
+limit or the callback URLs since any longer ones had not worked before
+and there is no need to enable them now either.
+Upstream-Status: Backport
+CVE: CVE-2020-12695 patch #2
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ src/wps/wps_upnp.c       | 9 +++++++--
+ src/wps/wps_upnp_event.c | 3 ++-
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
+index 7d4b7439940e..ab685d52ecab 100644
+--- a/src/wps/wps_upnp.c
+++ b/src/wps/wps_upnp.c
+@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription *s, const char *url,
+        int rerr;
+        size_t host_len, path_len;
+-       /* url MUST begin with http: */
+-       if (url_len < 7 || os_strncasecmp(url, "http://", 7))
+       /* URL MUST begin with HTTP scheme. In addition, limit the length of
+        * the URL to 700 characters which is around the limit that was
+        * implicitly enforced for more than 10 years due to a bug in
+        * generating the event messages. */
+       if (url_len < 7 || os_strncasecmp(url, "http://", 7) || url_len > 700) {
+               wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
+                goto fail;
+       }
+        url += 7;
+        url_len -= 7;
+diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
+index d7e6edcc6503..08a23612f338 100644
+--- a/src/wps/wps_upnp_event.c
+++ b/src/wps/wps_upnp_event.c
+@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
+        struct wpabuf *buf;
+        char *b;
+-       buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
+       buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
+                          wpabuf_len(e->data));
+        if (buf == NULL)
+                return NULL;
+        wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
+--
+2.20.1

diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch new file mode 100644 index 0000000000..59640859dd --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
@@ -0,0 +1,62 @@
	1	From f7d268864a2660b7239b9a8ff5ad37faeeb751ba Mon Sep 17 00:00:00 2001
	2	From: Jouni Malinen <jouni@codeaurora.org>
	3	Date: Wed, 3 Jun 2020 22:41:02 +0300
	4	Subject: [PATCH 2/3] WPS UPnP: Fix event message generation using a long URL
	5	path
	6
	7	More than about 700 character URL ended up overflowing the wpabuf used
	8	for building the event notification and this resulted in the wpabuf
	9	buffer overflow checks terminating the hostapd process. Fix this by
	10	allocating the buffer to be large enough to contain the full URL path.
	11	However, since that around 700 character limit has been the practical
	12	limit for more than ten years, start explicitly enforcing that as the
	13	limit or the callback URLs since any longer ones had not worked before
	14	and there is no need to enable them now either.
	15
	16	Upstream-Status: Backport
	17	CVE: CVE-2020-12695 patch #2
	18	Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
	19	Signed-off-by: Armin Kuster <akuster@mvista.com>
	20
	21	---
	22	src/wps/wps_upnp.c \| 9 +++++++--
	23	src/wps/wps_upnp_event.c \| 3 ++-
	24	2 files changed, 9 insertions(+), 3 deletions(-)
	25
	26	diff --git a/src/wps/wps_upnp.c b/src/wps/wps_upnp.c
	27	index 7d4b7439940e..ab685d52ecab 100644
	28	--- a/src/wps/wps_upnp.c
	29	+++ b/src/wps/wps_upnp.c
	30	@@ -328,9 +328,14 @@ static void subscr_addr_add_url(struct subscription s, const char url,
	31	int rerr;
	32	size_t host_len, path_len;
	33
	34	- /* url MUST begin with http: */
	35	- if (url_len < 7 \|\| os_strncasecmp(url, "http://", 7))
	36	+ /* URL MUST begin with HTTP scheme. In addition, limit the length of
	37	+ * the URL to 700 characters which is around the limit that was
	38	+ * implicitly enforced for more than 10 years due to a bug in
	39	+ * generating the event messages. */
	40	+ if (url_len < 7 \|\| os_strncasecmp(url, "http://", 7) \|\| url_len > 700) {
	41	+ wpa_printf(MSG_DEBUG, "WPS UPnP: Reject an unacceptable URL");
	42	goto fail;
	43	+ }
	44	url += 7;
	45	url_len -= 7;
	46
	47	diff --git a/src/wps/wps_upnp_event.c b/src/wps/wps_upnp_event.c
	48	index d7e6edcc6503..08a23612f338 100644
	49	--- a/src/wps/wps_upnp_event.c
	50	+++ b/src/wps/wps_upnp_event.c
	51	@@ -147,7 +147,8 @@ static struct wpabuf * event_build_message(struct wps_event_ *e)
	52	struct wpabuf *buf;
	53	char *b;
	54
	55	- buf = wpabuf_alloc(1000 + wpabuf_len(e->data));
	56	+ buf = wpabuf_alloc(1000 + os_strlen(e->addr->path) +
	57	+ wpabuf_len(e->data));
	58	if (buf == NULL)
	59	return NULL;
	60	wpabuf_printf(buf, "NOTIFY %s HTTP/1.1\r\n", e->addr->path);
	61	--
	62	2.20.1